Ashish Mishra <ashishm@xxxxxxxxxx> writes:

> Hi Dominick / Ondrej,
>
> Thanks for valuable inputs, I will try to evaluate them.
>
> Ashish

We have an IRC channel on chat.freenode.net where we can have casual and more interactive conversations if you're interested in that: https://freenode.net/kb/answer/chat

> On Wed, Jan 6, 2021 at 9:30 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>>
>> On Wed, Jan 6, 2021 at 4:40 PM Dominick Grift
>> <dominick.grift@xxxxxxxxxxx> wrote:
>> > Ashish Mishra <ashishm@xxxxxxxxxx> writes:
>> >
>> > > Hi Dominick,
>> > >
>> > > Will look at the re-labelling as you suggested.
>> > > Is there any doc / blog / implementation etc. to understand the
>> > > sequence and commands to do this, to understand this step in a
>> > > better way?
>> > >
>> > > We are working with such a setup freshly, so any inputs / guidance will
>> > > be helpful.
>> > >
>> > > Thanks for your time & inputs for this long thread.
>> >
>> > For docs I would suggest selinuxproject.org and
>> > https://github.com/SELinuxProject/selinux-notebook/blob/main/src/toc.md
>> >
>> > For implementations I would suggest looking at how OpenWrt implemented
>> > SELinux, as this is a very simple implementation and the target seems to
>> > be relatively similar to yours, with the exception that OpenWrt does not
>> > use a volatile root but instead uses a read-only squashfs and an overlay.
>> >
>> > You can also look at Fedora CoreOS for inspiration, and Google's SEAndroid.
>> >
>> > Implementing meaningful SELinux for exotic use cases like yours is not
>> > trivial though, IMHO. Using reference policy as a base policy might not
>> > be optimal for your use case (to say the least), and it would probably be
>> > easier to create a policy from scratch instead in the longer run.
>>
>> Well said. I'll just add that you'll at the very least need to remove
>> the "genfscon" rule for "rootfs" from your policy and replace it with
>> an appropriate "fs_use_xattr" one to be able to relabel the root
>> filesystem. (Assuming it uses tmpfs under the hood (or supports
>> xattrs), otherwise you may need to mount tmpfs somewhere and chroot
>> into it at the beginning of your init script. Or something like
>> that...)
>>
>> --
>> Ondrej Mosnacek
>> Software Engineer, Platform Security - SELinux kernel
>> Red Hat, Inc.

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
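The policy change Ondrej describes (drop the "genfscon" rule for "rootfs", add an "fs_use_xattr" one so files on the root filesystem carry their own security.selinux label and can be relabelled) can be checked mechanically. The script below is an added example, not code from the thread or from any SELinux project; it assumes refpolicy-style statement syntax, and the sample policy text and the replacement context it suggests are constructed for illustration.

```python
import re

# Constructed refpolicy-style fragment (not from the thread): line 1 is the
# genfscon rule that pins a single context on rootfs from policy, which is
# what prevents per-file relabelling of the root filesystem.
SAMPLE_POLICY = """\
genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
genfscon proc / gen_context(system_u:object_r:proc_t,s0)
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr tmpfs gen_context(system_u:object_r:fs_t,s0);
"""

# Same fragment after applying the advice: rootfs is labelled via xattrs.
FIXED_POLICY = SAMPLE_POLICY.replace(
    "genfscon rootfs / gen_context(system_u:object_r:root_t,s0)",
    "fs_use_xattr rootfs gen_context(system_u:object_r:root_t,s0);")

GENFSCON_RE = re.compile(r"^\s*genfscon\s+(\S+)\s+(\S+)\s+(.*)$")
FS_USE_RE = re.compile(r"^\s*fs_use_(xattr|trans|task)\s+(\S+)\s+(.*?);?\s*$")


def labeling_rules(policy_text):
    """Map fs type -> genfscon paths, and fs type -> fs_use behaviour."""
    genfs, fsuse = {}, {}
    for line in policy_text.splitlines():
        m = GENFSCON_RE.match(line)
        if m:
            genfs.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = FS_USE_RE.match(line)
        if m:
            fsuse[m.group(2)] = m.group(1)   # behaviour: xattr/trans/task
    return genfs, fsuse


def check_relabelable(policy_text, fstype="rootfs"):
    """Return the edits still needed so `fstype` is labelled by xattrs.

    An empty list means the policy already lets setfiles/restorecon
    relabel files on that filesystem (assuming the fs supports xattrs)."""
    genfs, fsuse = labeling_rules(policy_text)
    todo = []
    if fstype in genfs:
        todo.append(f"remove genfscon {fstype} rule(s) for paths {genfs[fstype]}")
    if fsuse.get(fstype) != "xattr":
        # Context shown is an assumption; pick what your policy expects.
        todo.append(f"add: fs_use_xattr {fstype} gen_context(system_u:object_r:root_t,s0);")
    return todo
```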